Pass the error of the IPsec callback to the caller. The dropped

counter is handled there.
OK tobhe@

diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index ca347c5..3d2f28e 100644 (file)
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_ah.c,v 1.160 2021/10/23 22:19:37 bluhm Exp $ */
+/*     $OpenBSD: ip_ah.c,v 1.161 2021/10/24 14:24:29 bluhm Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -721,13 +721,7 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
        /* Release the crypto descriptors */
        crypto_freereq(crp);
 
-       error = ah_input_cb(tdb, tc, m, clen);
-       if (error) {
-               ipsecstat_inc(ipsec_idrops);
-               tdb->tdb_idrops++;
-       }
-
-       return 0;
+       return ah_input_cb(tdb, tc, m, clen);
 
  drop:
        m_freemp(mp);
@@ -1192,13 +1186,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
        /* Release the crypto descriptors */
        crypto_freereq(crp);
 
-       error = ah_output_cb(tdb, tc, m, ilen, olen);
-       if (error) {
-               ipsecstat_inc(ipsec_odrops);
-               tdb->tdb_odrops++;
-       }
-
-       return 0;
+       return ah_output_cb(tdb, tc, m, ilen, olen);
 
  drop:
        m_freem(m);

diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index ed287a1..d84ccbb 100644 (file)
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_esp.c,v 1.179 2021/10/23 22:19:37 bluhm Exp $ */
+/*     $OpenBSD: ip_esp.c,v 1.180 2021/10/24 14:24:29 bluhm Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -546,13 +546,7 @@ esp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
        /* Release the crypto descriptors */
        crypto_freereq(crp);
 
-       error = esp_input_cb(tdb, tc, m, clen);
-       if (error) {
-               ipsecstat_inc(ipsec_idrops);
-               tdb->tdb_idrops++;
-       }
-
-       return 0;
+       return esp_input_cb(tdb, tc, m, clen);
 
  drop:
        m_freemp(mp);
@@ -1055,13 +1049,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
        /* Release the crypto descriptors */
        crypto_freereq(crp);
 
-       error = esp_output_cb(tdb, tc, m, ilen, olen);
-       if (error) {
-               ipsecstat_inc(ipsec_odrops);
-               tdb->tdb_odrops++;
-       }
-
-       return 0;
+       return esp_output_cb(tdb, tc, m, ilen, olen);
 
  drop:
        m_freem(m);

diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c
index 7efa768..59ac573 100644 (file)
--- a/sys/netinet/ip_ipcomp.c
+++ b/sys/netinet/ip_ipcomp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipcomp.c,v 1.82 2021/10/23 22:19:37 bluhm Exp $ */
+/* $OpenBSD: ip_ipcomp.c,v 1.83 2021/10/24 14:24:29 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org)
@@ -203,13 +203,7 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
        /* Release the crypto descriptors */
        crypto_freereq(crp);
 
-       error = ipcomp_input_cb(tdb, tc, m, clen);
-       if (error) {
-               ipsecstat_inc(ipsec_idrops);
-               tdb->tdb_idrops++;
-       }
-
-       return 0;
+       return ipcomp_input_cb(tdb, tc, m, clen);
 
  drop:
        m_freemp(mp);
@@ -530,13 +524,7 @@ ipcomp_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
        /* Release the crypto descriptors */
        crypto_freereq(crp);
 
-       error = ipcomp_output_cb(tdb, tc, m, ilen, olen);
-       if (error) {
-               ipsecstat_inc(ipsec_odrops);
-               tdb->tdb_odrops++;
-       }
-
-       return 0;
+       return ipcomp_output_cb(tdb, tc, m, ilen, olen);
 
  drop:
        m_freem(m);